Webinar Recording

Business-Centric, Cloud-Aware Identity and Access Management



Kuppinger Cole Webinar recording

Good afternoon, ladies and gentlemen, this is Martin Kuppinger of KuppingerCole. Welcome to our KuppingerCole webinar, Business-Centric, Cloud-Aware Identity and Access Management. This webinar is supported by Siemens. We will have two or three speakers in that case today. One of them will be Martin Kuppinger of KuppingerCole. The Analyst will be and of Siemens. Before we start, some general information and some housekeeping information. And afterwards, I'll talk briefly about the agenda, the service, my part of the presentation. KuppingerCole is an analyst organization based in Europe. Our focus is providing enterprise IT research, advisory, decision support, networking for IT professionals through our subscription services. This provides access to our research, for example, to the analysts through advisory services and through our events. Our main event is the European Identity Conference, which is co-located to the clouds conference. Those conference held temps to 13th of May, 2011, in Munich, around about four weeks away from today, and sponsorship opportunities.
You find the link here and you could register now. I think it's definitely an event you shouldn't miss. Have a look at the agenda. It's probably the most interesting agenda we've ever had. And we always had very, very interesting agendas for our event, with a lot of speakers, more than 100 speakers. Definitely an event worth to attend, to learn everything about thought leadership and best practices, identity management, GRC, and cloud security. So have a look at our event. Regarding the webinar, some guidelines for the webinar. First of all, you will be muted centrally. You are in fact muted centrally, so you don't have to mute or unmute yourself. You don't have to control these features. We will record the webinar and the recording will be available by tomorrow, as well as the presentations you'll see today, which will be made available as PDF versions for download. Q and A will be at the end of the webinar.
But you can enter your questions at any time using the questions tool in the GoToWebinar control panel, which you'll find at the right side of your screen. So you just enter your question there and I can read it and then we can pick it up. Usually we pick them, we answer them at the end. In some cases, we might pick a question during the webinar, if it's appropriate. I always recommend that you enter your questions once they come to your mind so that we have a comprehensive list of questions available when we are ready with two presentations within today's webinar. Moving forward, directly diving into the topic, our agenda for today. The first part of the agenda, which will be done by me: the presentation is about key elements of a future-proof and cloud-ready identity and access management. Following me, there will be a try presentation of ING and Kubo from Siemens.
They will talk about case studies and broad features of Siemens DirX Identity and DirX Audit, and how to realize an identity governance solution that really creates business value. The third part, like I've mentioned before, will be the Q and A session. So that's what we have in mind for today's webinar. And I will directly start with my part. So when talking about identity and access management, what are the elements? So what does it really consist of? What do we need for, let's say, a complete IAM solution, what might be elements there and how do these things fit together? And afterwards, I will look at what are the things which we have to consider to have a future-proof solution and cloud-ready solution. So I will then move forward within these, the keywords out of our, of the title of today's presentation. So when looking at IAM I always like to structure it according to the four A's, which are pretty well known, which is administration, authentication, authorization, and auditing.
Administration, in fact, is when it's about managing users, storing the user identities and all that type of things. And the main technologies we have there are directories itself, the meta and virtual directories, where I probably think that virtual directories are a pretty interesting thing. Delegated administration features, which are commonly a part of provisioning tools. The provisioning is probably the core thing besides the directory itself. So the directory systems we need to store the information, provisioning something to distribute information about users to different directories, and finally, also some sort of PxM capabilities. So PxM is what I use as an acronym for privileged access, account, identity, user management, which are terms which are somewhat overlapping and used in somewhat, let's say, overlapping, also sometimes disparate ways by the marketing of different vendors. So chosen, decided to use the term PxM as an abbreviation for all these privilege management things we have out there.
When we look at the authentication, it's about strong authentication, it's about single sign-on and web single sign-on, about Federation as probably the key technology when it comes to authentication, besides for sure the additional strong authentication things, but Federation the single enables us to really federate users from different organizations, from different parts of our organizations and so on, and also the versatile and risk-based authentication parts, versatile being the ability to flexibly change the authentication technologies we are using, to combine them, to be flexible enough to be reactive when we have to change one or the other technology. In the area of authorization, we have web access management. We have Federation again, because Federation is somewhat distributed between authentication and authorization. So one part of it is we also authenticate the user, the other party address this user and user's information provided for authorization.
So Federation appears on both sides. Entitlement management, which is more about the granular control of entitlements. Also the ability to have applications ask and cross authorization system, whether an authorization should be granted or not. The risk- and context-based parts of authorization. Again, privileged whatever management, because there's also a part of authorization. So which administrators are allowed to do what? So that's also part here. In auditing again, by the way, PxM appears because it's about auditing what auditors are doing. Again, another part of the story, but we have to especially access governance, themes of security, information and management. So some additional technologies we have in that area. So there's a broad set of technologies. If I would have to pick the technologies which are the most important ones, for sure these are directories. This is provisioning still, because we need something which distributes changes.
This is definitely Federation. This is, more looking to the future, entitlement management, our PxM capabilities, because the produces are something we have to consider. And it's access governance where I would start to look at. Not saying that the other things are relevant, but probably the things which are sort of the most important ones to keep in mind. When we now start to look at something which I would call future proof, I've made a small quadrant there looking at some different aspects of IAM becoming future proof. One aspect is to be cloud ready. I won't stress this at that slide because the next slide will specifically focus on the future-proof part of IAM. So that's something I will discuss later on. I think another very important thing is it has to be business focused. Business focused, what does it mean? A service?
The, the last three of the bullet points? It means I should have, I have to have, not only should have, must have adequate and also integrable interfaces. What do I mean by that? Adequate means the business user has to work with things he understands. If it's about recertification, then someone who understands what he has to recertify has to do it. So the information provided to him has to be adequate because he has to understand what he's doing. If he doesn't understand that, he can't do his job. If someone wants to request access for one of his employees in his department, he needs to understand what he requests for. So that has to be business roles or competencies or other things, which are the level of his understanding, not something abstract. So future proof means enhancing what you might have done before from an administrative and a technological perspective towards the business users, making things understandable for him, making it easy for him to request things, to request access, or to enter a new user, if you're the one responsible for some partner management or other things.
So it really has to be a focus or an interface which is adequate to the business users, not only to the technical user. And I think if I look at the overall market, many when things definitely are moving forward in that area. So over the last years, things have changed from being, let's say, pretty much technology and administrator driven towards being much more end user, business user driven. So that's, from my perspective, a key element for future being, IAM being future proof. The next quadrant, and sort of comply or is called compliance. So IAM has to fulfill the compliance requirements. I remember some weeks ago I had a very interesting experience where Gar met one of the integrators in the market again. And he's had, the funny thing is it was at the customer in that case, doing a POC.
The funny thing is the customer is driven really, or the approach is driven really by compliance, regulatory compliance requirements. And he that, if it goes back some three or three years, he said, oh, I never would have trusted or believed Martin Kuppinger that compliance really will become a major driver for IAM. Today it is. Recently I've been at another advisory customer and we had a steering board committee meeting, and there were three members of the board in the steering committee meeting, something which you suddenly have, would have observed some few years ago. So again, that's something which really fundamentally has changed. Compliance is a key driver. And that also maps to the business focusing the, the level of attention has changed. So IAM is much more at the attention of the board than it ever has been before. That means also we have to be able to deal with historical audit data.
We have to support things like that. We have to support recertification capabilities. In the best case, they should be sort of multilayered so that we can recertify different things. We need to support integration points to our business GRC initiatives, if we have them running. So how can our controls provide information to the higher level controls from a business perspective? So that's a very important thing, supporting compliance requirements. And that's something where both speakers from Siemens will talk about much today. It is a very important thing. And it's really one of the key things to solve today. And overall IAM, to be future proof, also has to be flexible. It requires open interfaces, APIs or web services, toolkits to integrate with other things, be able to solve the problems from what with, with technology you have there as broad as you can, but also being able to work with what is out there.
Because we have a situation today where we have a lot of different technologies implemented, and it's really about how can we make these things work together? How can we deal with that? We have again another area, which is support for different architecture options. So how can we integrate these things? That means, again, if you have interfaces, you have solved a lot of your issues there. And then it's about the cloud-ready part. So I've said IAM being cloud ready, it's a very important thing because the situation today is simply that we have cloud, something which is out there, which we can't ignore anymore. Cloud computing, external cloud services, privately hosted cloud services. All these things are a fact today, and we have to deal with them, and we have to deal with them especially also from the perspective of how do we secure access, how do we control access?
How do we audit access to these services? How do we handle really these cloud services? That's something which also has, from our perspective, fundamentally changed, which means we have to deal with it. And that means we have to deal with, that's not only cloud, but it's a part of the thing, deal with different types of users. We have our internal users, we have our external users. So we have our internal services, external services. We have our internal deployment, our external deployment. Everything is changing. It's not only looking at our internal IT with our employees and our internal systems, which we run or manage by a host by, by an on-premise IAM. So it's about having a much more complex world. And internal users, that's something which, even if you don't deal with cloud services, you have to look at. The employees, you have to look at, that's something you're familiar with, but you have the externals as well.
And they are becoming more and more important. You have to integrate your customers, your partners, and other types of external parties, because of the way you are building your business process. And again, that business ready, supporting business processes to span not only some parts of your organization, but span also the entire value chain to your partners, to your customers, to your suppliers. That's something which is very important. This ability is a key thing to solve. The services: you have to manage your on-premise applications. For sure. Who's allowed to access these applications, who are the users for them, okay. We are familiar with this, but there are SaaS offerings. How do you manage your users for Salesforce.com? Salesforce.com definitely is one of the better ones if it comes to identity and access management regarding the interface they provide. In some cases, things are looking much darker than with, say, Salesforce.com.
You also have to look at your PaaS, or platform as a service, and IaaS, infrastructure as a service, management aspect. So how do you deal with them? How do you deal with the users which are sort of your operators, administrators of what you are using at Amazon EC2, for example, or wherever? So things are getting more complex and you have to have a solution which the process, and eventually the solution even able to be run by hosted services, sort of a cloud service, or the ability to decide which parts of your system do you run where. You always need to control them, the services, by yourself. That's a key element. However, the option to say, okay, I use a hosted service for that, that might be something which is very interesting. So when it comes to business-centric, cloud-ready identity and access management, it's about really opening up things, going away from the classical administrative perspective, making things withable and usable to the business users for what they really need to do. What do they need to do?
They need to recertify. They need to request access. These are the main things they have to do. Opening up for different types of scenarios. So opening up beyond the borders of the enterprise, and that could be done only. And that's, I think, a very important thing, especially when we look at this, that always has to be done, virtually everywhere has to be done, is a focus on a hybrid environment. So at least for virtually any midsize and large organization, it's not that you will do everything internally or everything externally. It's about looking at hybrid environments. So you have one business and this business spans border here, enterprise, because you're dealing with customers, because you're dealing with suppliers, and it's one side of business process, regardless of whether you are in the business process based on an external cloud service or an internal IT service, doesn't matter.
It's the same business. So this business requires one IT, not a cloud IT and an internal IT, an on-premise IT. It requires one IT. And to manage the access, the users and all these things for that one IT, you need one IAM. You don't need a cloud IAM and an on-prem IAM, you need one IAM. And from my perspective, there's no, or at least very, very little value in solutions which run in the cloud and support cloud only, especially if you look at IAM, because currently we're working on getting these things together, integrating these things, instead of saying, okay, and our main target is we want to know which Excel stuff is, have across all our services. And if you don't have an integrated IAM, we can't solve this issue. So that's where we have to look at when we look at business-centric, future-proof IAM and being cloud ready also as a part of being future proof. Okay. That's my introduction to this topic. I will right now hand over to Tolbert and I from Siemens, which I will make down the percentage right now. Okay. It's your turn.
Thank you very much, Martin, for the introduction. As long as we are setting up the slides, a short introduction of our persons. My name is ER, I'm heading the expert sales group of Global Competence Center Security with Siemens IT Solutions and Services. My name is, and I'm responsible for the product management of the DirX product suite. So let's talk, oops. In our agenda, we will start first with a small introduction about our company. Then we switch to the topic of today, business-centric IAM and best practices. From there, I will give over Tolbert to go into the detailed overview about the DirX portfolio, especially this focus on cloud-aware IAM. In the end, I will take over and give you insight into what is offering for consultancy services up to operations around security. Siemens IT Solutions and Services is a premium European-based provider of advanced IT solutions and outsourcing services with global reach. Secure Enterprise is one of the strategic go-to-market offerings of SIS. Building on this, the GCC Security has more than 350 security experts to help our customers to build industry-specific security solutions. This is what is announced with business centric, with a focus on the Q ID solutions S combines own IPRs and products with best-in-class solutions and products of other vendors.
Now in a Porwal less world where securing technology assets is no longer enough, identity management is a key to protect core business processes. Today in this presentation, we will therefore focus on the excellence and IAM product and services for cloud-aware security solutions. Now IAM integrators and vendors have to understand the industry-specific business requirements and provide best practices to their customers. Based on the advanced requirement of engineering methodology, this IAM startup package contains a set of core ID lifecycle processes, which are a subset of processes you find in nearly every organization using identity-centric processes. This methodology and the package helps customers to speed up the initial deployment of IAM services. And that's the base for further process integration. IAM was always an important building block of the governance and compliance landscape. But the change we see today is that specific business processes ask for focused IAM solutions. These solutions ideally are based on a common framework of products and processes, which are easily adapted to the vertical business solution. This is what Martin has referred to as one IAM. The demand for cloud services is met by a financially growing number of cloud service providers. This is one of them, focusing on the economy of scale and time to market. Even so, security and privacy concerns and legal requirements must be addressed. This offers cloud-ready security product and services for the enterprise to public cloud.
Now this picture shows, or tries to build up, what we see today as one of the major focuses. The goal of our customers is to secure your enterprise information across all business dimensions, and also across the technical dimensions of the enterprise. Now, the centric security and governance solution will therefore become the backbone, connecting the basic IT infrastructure, which is indeed today an it MC and communication infrastructure, with the level of business applications and strategic decision support systems like compliance dashboards for executive management, auditors and others. IAM is a central service, which will provide automated and secure user management with strong self-service and workflow support for request approvals of rights and entitlements for all the variety of the heterogeneous IT landscape. For the specific business processes, IAM provides enforcement for security policies and compliance requirements. Through advanced IAM analytics and intelligence solutions, CIOs can provide consolidated information for risk management, compliance reports and audits. And this helps to answer the basic questions who at one, what rights, where, when and why. Coming to the best practice examples. We believe that only an integration with the key business processes and based on a deep vertical know-how guarantees best return on invest from an IBM on IAM solution. Let's have a look at one example of an international organization and their HR processes.
HR departments are driving implementation of homogeneous IT support processes, which must comply to global and local data privacy and security requirements. In this picture, you see some examples like recruiting, health, safety, and environment, payroll services, and others. In addition to these core processes, the growing number of supporting processes has led to more and more complex grown IT environments. In the specific project where this case study is derived from, more than 36 IT systems only in HR and services must be integrated into a central role-based right management system. Actually three of them already based on external cloud service providers. In HR says specific focus therefore lies on the implementation of strong authentication for access to personal data, centrally planned and controlled attestation and re-attestation campaigns. And based on the quite often sporadic use of HR applications by normal management, the efficient and secure self-service for reactivation. An example would be that an S P system may disable your account after a certain period of inactivity, or of course, for request of role and access rights. So the next best practice example comes from the financial service area. As we know, and Martin pointed this out with thes act, so financial industry, but driven to implement higher levels of IT-based control for all core processes. Starting with an in-depth analysis, most companies have established an integrated security management system, mostly following the 27,000 standards, and are looking for ways to automate the costly audit reporting processes.
For an international provider of financial solutions in the business-to-business area, IAM has to provide dynamic approval functionalities, which take into account organization and the business case reflecting the specific risk level of transaction. Attestation and re-attestation processes must support the security requirements and schedules arrive of the customer-specific business processes. The IAM compliance reporting therefore must be delivered to fit seamlessly with the overall risk reporting and audit processes. I was involved from the beginning in the ISMS definition phase, and the customer asked for complete managed services based on the advances DirX portfolio. That means we will provide the whole value chain of implementing, consulting and managing an IAM service for this high compliance area. At this point, I give over to Mr who will now give you an overview about the product offering. Thank you. I take over. SIS provides an integrated product suite for, why does this not function?
Okay, thank you. SIS provides an integrated product suite for identity and access management solutions comprising today of five different products. These products can be deployed individually or as an integrated product suite. Starting with DirX Identity at the top. DirX Identity provides a process-driven, entirely customizable identity management solution for the global enterprise and organization. This includes lifecycle management for users and roles, cross-platform and rule-based provisioning and real-time web-based user self-service and delegated administration. It also includes request workflows, access certification, password management, meta directory, auditing, and report functionality. DirX Audit, right below DirX Identity, provides for a centralized, secure storage, analysis, correlation and review of identity-related audit logs by a single user interface that provides auditors or security compliance officers and audit administrators with the answers to the what, when, where, who, and why questions of user access and entitlement. DirX Directory in the middle is a standard-compliant, high-performance, highly available, highly reliable and secure LDAP and X.500 directory server with very high linear scalability.
The directory acts as the identity repository for employees, customers, training partners, subscribers, and other e-business entities. Just below the directory you see DirX Access, which is a comprehensive solution for access management and entitlement management, identity Federation, web services security, and web single sign-on in one single product to protect your web applications and web services from unauthorized use. And last but not least, these biometrics, also known as ID Center, provides for biometric authentication and recognizes a person's identity through fingerprint for biometric pattern. ID Center provides the reliable basis for determining who gets access to any number of software, applications and data.
So now let's have a closer look at how DirX Identity supports the ongoing processes for risk management and compliance initiatives. So in order to allow end users, managers, resource owners, and auditors to participate in identity governance processes, of course, central administrators need to set up the identity infrastructure and implement the according workflows. So the tasks are to discover, to manage the entitlements in different target systems or applications, and to create, or to manage business roles that hierarchically aggregate entitlements from different applications. Separating role management from user management allows to hide the complexity of right management from user management. Part of the identity governance processes are the re-attestation or attestation access certification campaigns, where DirX Identity provides campaign management and the according workflows to support and to provide the data to the end users or to the managers that take care of their employees. And of course, a very important aspect for identity governance processes is the management of the access policies that allows to delegate the decisions to the end users, to the managers and to the executives or auditors. And last but not least, reporting is needed on all levels, both for the managers, but also for the central administrators of the identity infrastructure. On the self-service side, on the delegated administration side, of course, the end users or the employees, they can request access privileges.
They participate in approval and access certification processes. They approve access requests. If there are some segregation of duties violations, they mitigate those violations, for example, by demanding that any access rights are only limited in time, or after six months or after 12 months they have to be renewed. And of course the executives and the auditors, they need to have tools to create audit reports, which then can be archived. Let's have a closer look at one of the attestation processes. For example, there is one role in the role hierarchy, which is the accountant role, where the security policy says that assignments to the accountant role need to be certified every six months. So the initial start every six months is that the certification campaign, which is of course defined by the central administrator, is started for the role accountant and the role manager, who is the owner of the role and has the decision responsibility for the user assignment.
He gets the request by email that a new certification process has started and needs to be completed, for example, within four weeks. So the role manager opens the window regarding the role assignments of the users to the roles in the DirX Identity web center and checks individually all the assignments, and for each user, of course, has to decide if the access should be granted, is in accordance to the compliance and security policies, or should be revoked. After the completion of the certification process, DirX Identity automatically processes the finished certification review and deprovisions the assignments that should be removed from the users and notifies the users of the removal. And at any time of that certification process, a compliance officer can monitor the campaign progress and can create reviews and reports, also after the completion of the process. So this is just one example of how identity governance supports the internal and external security policies that the company must adhere to.
So leaving the business segment of identity and access management solutions, and now we are coming to a closer look at the deployment of what Martin has mentioned before, a future-proof identity and access management solution. On this picture, you see here four different possible deployments and use cases for identity and access management solutions. I will lead you through all these four, and of course they are not deployed altogether, but they are alternatives. So number one, you see the traditional on-premise scenario of an identity and access management solution within an enterprise or organization. So this is most of the case today, but there's a road that leads to more cloud-aware identity management and identity management from the cloud. The second example, point number two here in this picture, means that from an on-premise identity and access management solution, when the company is using cloud services like human capital management, or like supplier relationship management or customer relationship management, the internal identity and access management can provision these solutions and can provide identity Federation capabilities to extend the enterprise single sign-on system with SAML assertions into the cloud-based applications.
The third example of where identity and access management solutions can be deployed is for cloud providers, for example, and this is really something which can be used in conjunction with on-premise and cloud-supported identity and access management solutions. If we look at service providers, so service providers need to manage, for example, the internal privileged accounts or shared accounts that the administrators use to manage the systems, the platforms, the applications, the monitoring, the applications, and this is one field of identity and access management for the cloud, for cloud operations. And last but not least, the fourth example here in that picture means this will be maybe the future deployment, the future use case scenarios of identity and access management, where a cloud provider holds an identity and access management solution either individually for an enterprise, for an organization, or it's an on-demand identity and access management solution where enterprises can participate and other enterprises share the same service. And this is some multi-tenant capability for multi-tenant service, which gives additional benefits on pay per use and scalability within the cloud service provider.
So let's look at one example where SIS, Siemens IT Solutions and Services, already today provides identity and access management as a cloud-based service. And this is an example of an identity provider. So SIS offers an identity provider service for federation and single sign-on as a cloud service, where companies, enterprises and organizations can extend their single sign-on solution also to cloud-based services, for example to services from Salesforce or from SuccessFactors, human-related applications that may be used in an enterprise environment, in a hybrid cloud environment together with on-prem applications, for example. And what SIS does here in that example: it acts as an identity provider. It manages the digital identities of the customer. It provides an authentication method, for example username and password, or a one-time password token. And it acts as the authoritative source for issuing authentication assertions and for validating identities.
And the customer value here is that SIS can provide a flexible accounting and billing model. So it's a pay-per-use model here. There's no need to transfer the internal data of the users to external institutions. So there's no need to manage external identities for those cloud services, because they're all transported with the SAML assertions when the users access those cloud services, and the identity life cycle of the internal users is extended to cloud services and external partners. And the real benefit for the end users is that the users sign on only once. And they have a very convenient interface to access not only internal applications, but also cloud-based applications. So they do not even recognize if they're working with an internal or with a cloud-based application.
So let's summarize what the DirX products provide for a process-driven and integrated solution for identity governance and provisioning. So especially this identity management provides the basis for all the IT-related automation and provisioning processes. For example, it provides the capabilities for doing data management from different authoritative sources. It provides the integration framework for custom connectors too, not only out-of-the-box connectors to the most prominent applications. It provides the connectors out of the box for identity sources like HR systems. It has a very comprehensive and deep integration with SAP systems, both are free and net SAP systems, and it does real-time provisioning of target systems. For the process-driven side, S identity management provides the workflow management and the process definitions, for example, by rule-based and event-based processing of provisioning and role assignments. It has request workflows and approvals where end users can request additional access rights and where managers approve those access rights.
All the change management can be done scheduled or event-based. It provides web services so that the identity core functionality can be integrated into portals. And it integrates seamlessly with IT service management, for example with BMC Remedy or HP OpenView as a service desk system. And on the business level, the identity management provides the capabilities and functionalities for the life cycle management of users and roles. This is all integrated into one single product. You can define functional and organizational roles. You can do context-based role assignment. For example, project managers may have one role, but will get different entitlements depending on the projects they're working in. It provides role hierarchies and role inheritance, and of course segregation of duties to comply with regulations. And on the reporting, attestation and audit side, we have access certification campaigns for role assignments. We can manage these certification campaigns.
We do reconciliation of target systems, activity monitoring of administrative and enforcement actions. And we provide tools and templates, reports and the compliance dashboard to really have a nice look and feel to the ongoing compliance processes and the status of these processes. So with that, I give back to Roy purer who provides a summary for the Siemens IT Solutions identity and access management.
Thank you, Rudy. First, let me get into one picture here. One of the major challenges for cloud security is to achieve a complete picture on the operational and strategic governance aspects. So SIS offers consulting packages to provide a cloud security quick check, or in a second step, a complete cloud security assessment based on 27,000. Of course, for the topics we discuss here, the focus areas are governance and risk management, compliance and audit, strong authentication, encryption, and of course, identity and access management. In the area of identity and access management, SIS offers a complete chain of services starting with initial workshops over strategic E and consulting to architectural consulting, which can be delivered on premise and can be a first step into the decision what kind of identity and access management services make sense for the special business environment. And based on this, we deliver system integration support and up to project implementation and managed services.
Now let me summarize our webinar for business-centric and cloud-ready identity and access management. CIOs and customers state that security is one of the challenges to adopting cloud computing. Especially two main areas have to be considered: the basic security, that is confidentiality, integrity and availability, and the legal governance and compliance regulations, data protection laws, export controls, C specific regulations. SIS cloud security favor covers all these areas. Our consulting services help customers to understand their own security needs and how they can protect their data and comply with the regulations. The specific offerings of identity and access management, whether on premise or on demand, complete the cloud security portfolio. And of course, for customers, for most of the organizations, a strong identity management implementation may be a prerequisite for an efficient and secure way to the cloud. Thank you very much.
Thank you for the presentation. You kind with your side. Okay. You're muted. Perfect. So we directly go to the Q and A session that will make me presenter again. And yeah, I think we'll have the first questions here, and maybe you could then kindly start. So the attendees are entering first questions. So we will have a good Q and A session right now. I thought was the first question I have here, which is a question directed to the speakers from Siemens: for an in-house IAM architecture, how is data privacy arranged when using cloud services? Most cloud service providers conform to industry standards and certification, and how is this audited by the customer or by the provider's own auditors?
Okay, thank you for the question. I think there is not a universal answer to this question, but of course what I assume is that normally, based on an assessment of the internal risk, based on the ISMS system, the customer should identify their own risk levels also in the data privacy area, and ideally put the definition of security controls on this into the contract with the cloud provider. Of course, there may be a different situation if you are a private user of a cloud service where you don't have so much influence on contractual issues, but in a business-to-business scenario, before you give your personal information into the cloud, definitely I would make sure that contractually my own security priorities and levels are part of the service level agreements. And of course auditing can be external audit, but the big companies quite often ask for special audit capabilities and allowance. So my advice would be general following the normal parts, like with the non-cloud environment, to set the risk levels right, and then involve legal involves department to help you to shape the right contractual environment.
Okay. Thank you for this answer and pick the next question. Like I said, if you have first questions, please enter the questions using the questions include webinar control panel. Does. The next question is you've been talking about an hosted IM service. So will that service be an auto service in the future?
I think so the hosted service offering of SIS will as a secured enterprise strategic offering, be part of the service offerings, what part of the detailed offerings we will find under what main it's a little bit early to, to, to communicate now, but definitely all the in its press releases stated that identity centric solutions are the basis and a key differentiator for the offerings.
Okay. So from that perspective, I think it's a positive outlook in that direction. Another question I'd like to ask is, if you look at your current customer base, how many of your customers, percentage-wise, are currently really starting to support cloud services within their IAM infrastructure? So which do you use management, other things for cloud services, when you look at your existing customers?
I think percentage-wise, what we see is that at least in the large organizations, I would say more than 25% are looking into cloud services. Not all are implementing them already, but what we see is of course that the demand for getting the infrastructure ready for the cloud is growing. Yeah. So I think a lot of the customers are in the process where the first question comes from: how should I contain my level of risk management when I go to the cloud? Yeah. It's not a purely technical question, of course. And therefore we offer, based on our products, the technological solutions. So our customers are ready to take the step. We test with cloud providers to make technical interoperability levels secure. The activation of the cloud services quite often depends on the contractual issues.
Okay. And maybe again, if there are any first questions presented. There's another one: can components of various IAM solutions be used together or integrated, for example, Siemens access management, some components provided by no, or it two, let's say directory technology based or other things? Why you can't combine these things? So what could you combine with other technologies?
Sure. This is really speaking. Sure, components of different IAM vendors can be combined together in a best-of-breed solution of course, but it's a very typical situation. Martin, you mentioned before that the ultimate goal would be one IAM. Yeah, that's a very visionary and very long-term wish, I would think. So we incorporate the situation that, for example, through mergers and acquisitions, companies have their existing identity and access management infrastructure, which needs to be tied together. So this can be done either in a hierarchical way, or it can really be done in a very balanced way. And of course, if you look at the products from different categories, like an access management product or like an identity management product, it's very easy to combine them in a heterogeneous solution. It's not so easy if you look at the detailed functional blocks of an identity management solution. So for example, if you want to have maybe a workflow running in a different system and do provisioning from another system, this is not what we recommend. So we really recommend to have an integration on a product level and not to drive the product capabilities on different products.
Yeah. Maybe a short addition from my side. When I talk about one IAM, it means not to have one product for everything. I think the reality is, and many architectures are already modular, using different products of different vendors, because there were acquisitions, or there were some point solutions implemented in some area around SAP or in the Microsoft environment. So you end up frequently with having multiple products, but you should look at integrating these things and doing these things as one. So that's what I think when I talk about one IAM: it's about having a consistent approach. And from the processes, from the controls, from the governance perspective, an integrated approach can be very, very modular depending on your reality. And I think it's about when's providing the flexibility to work in either scenarios where you have sort of a one-stop shopping or in scenarios where you have a lot of existing investments, which you have to integrate. But at the end of the day, it's about not saying, okay, I've done everything, for example, internally, right now I start the next IAM again for my cloud services. It's about understanding that it has to be one consistent approach, one consistent strategy, one architecture with integration.
Okay. If there are no further questions, we are reaching the top of the hour. So we are also reaching the end of the webinar, and I'd like to thank all the attendees for listening to this KuppingerCole webinar. I'd like to thank cool and love ringer for being speakers in this webinar. So thank you and have a nice day.
Thank you very much and good goodbye.
